IBM Security Verify Access: Privilege escalation possible
IBM warns of security vulnerabilities in Security Verify Access and Verify Identity Access, some of which are critical. Attackers can escalate their privileges.
IBM Security Verify Access and IBM Verify Identity Access, IBM's security software for identity and access management (IAM), are vulnerable to attacks. IBM is currently warning of three security vulnerabilities, one of which is rated a critical risk.
In the security notice, IBM explains that locally logged-in users can escalate their privileges to “root” because the software runs with more privileges than necessary (CVE-2025-36356 / EUVD-2025-32573, CVSS 9.3, risk “critical”). In addition, logged-in users can execute malicious scripts from outside their sphere of control (CVE-2025-36355 / EUVD-2025-32575, CVSS 8.5, risk “high”). The third vulnerability allows users who are not logged in to execute arbitrary commands with lower user privileges, because the software does not adequately validate user-supplied data (CVE-2025-36354 / EUVD-2025-32574, CVSS 7.3, risk “high”).
Updates close the vulnerabilities
IBM is patching the vulnerabilities with the versions IBM Security Verify Access 10.0.9.0-IF3 and IBM Verify Identity Access 11.0.1.0-IF1. Both the appliances and the Docker containers of the security solution are affected. IT managers should update to these versions as soon as possible, as IBM also advises.
Running the command docker pull icr.io/isva/verify-access:[tag] brings IBM Security Verify Access up to date; for IBM Verify Identity Access, the command is docker pull icr.io/ivia/verify-access:[tag]. IBM lists the correct tags for this on its website.
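To find deployments that are still below the fixed levels named above, the following added example (not IBM's or heise's code) compares version strings of the form 10.0.9.0-IF3 field by field as numbers, which a plain string comparison gets wrong for values such as IF10. The product keys isva and ivia, the function names and the sample inventory are assumptions made for this example; treating every version below the fixed level as needing the update is also an assumption, since the affected version ranges are not listed here.

```shell
# Fixed levels named in the article; "isva"/"ivia" are keys chosen for this example.
fixed_level() {
  case "$1" in
    isva) echo "10.0.9.0-IF3" ;;   # IBM Security Verify Access
    ivia) echo "11.0.1.0-IF1" ;;   # IBM Verify Identity Access
    *) return 1 ;;
  esac
}

# Print "a b c d ifix" for "a.b.c.d[-IFn]"; a missing -IFn counts as interim fix 0.
version_fields() {
  vf_base=${1%%-IF*}; vf_ifix=0
  case "$1" in *-IF*) vf_ifix=${1##*-IF} ;; esac
  case "$vf_ifix" in ''|*[!0-9]*) return 1 ;; esac
  case "$vf_base" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  vf_ifs=$IFS; IFS=.
  set -- $vf_base; IFS=$vf_ifs
  [ "$#" -eq 4 ] || return 1
  echo "$1 $2 $3 $4 $vf_ifix"
}

# Status: 0 = below the fixed level, 1 = at or above it, 2 = unknown product or version.
needs_update() {
  nu_fixed=$(fixed_level "$1") || return 2
  nu_have=$(version_fields "$2") || return 2
  nu_want=$(version_fields "$nu_fixed") || return 2
  set -- $nu_have $nu_want          # $1..$5 deployed fields, $6..$10 fixed fields
  while [ "$#" -gt 5 ]; do          # compare $1 with $6, then shift to the next pair
    [ "$1" -lt "$6" ] && return 0
    [ "$1" -gt "$6" ] && return 1
    shift
  done
  return 1
}

# Turn the status of needs_update into a word for reports.
classify() {
  cl_rc=0; needs_update "$1" "$2" || cl_rc=$?
  case "$cl_rc" in 0) echo UPDATE ;; 1) echo OK ;; *) echo UNKNOWN ;; esac
}

# Constructed sample inventory (product key, deployed version), not real deployment data.
while read -r product version; do
  printf '%-5s %-14s %s\n' "$product" "$version" "$(classify "$product" "$version")"
done <<'EOF'
isva 10.0.9.0-IF2
ivia 11.0.1.0-IF1
isva 10.0.8.0
EOF
```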
At the end of last year, IBM had to close four security vulnerabilities in Security Verify Access. Three of these were considered critical risks. Two vulnerabilities involved hard-coded credentials, which could be misused as a backdoor for unauthorized logins.
(dmk)